test: e2e for TrafficProtectionPolicy Enforce serving traffic (#243)#245
Merged
Conversation
Chainsaw regression for #243. Deploys a backend, a Gateway on the WAF GatewayClass with an HTTPRoute, and a TrafficProtectionPolicy in Enforce mode, then probes the downstream Envoy over the wire and asserts a benign GET returns 200 rather than the empty/5xx reply the unescaped error-page body produces. Gateway.status.Programmed alone is insufficient — Envoy Gateway reports it from its own translation, independent of Envoy's xDS ACK — so the test asserts on an actual HTTP response. Requires the WAF data plane (extension-server + the extensionManager Envoy Gateway on the datum-downstream-gateway class); environments without it skip via the unmet Programmed assertion. Refs #243 Key changes: - add test/e2e/trafficprotectionpolicy-enforce/chainsaw-test.yaml
The hostname binding referenced $namespace at spec level, where it is not yet defined, so chainsaw aborted the test with "variable not defined: $namespace" before any step ran. Move the binding into the two steps that use it, where the per-test namespace is in scope. Verified against the fixed operator image on the local WAF stack: the test now runs and passes (benign GET returns the backend's 200).
Contributor
Author
|
oh ok, the red test in this is because the fixes arent in this branch. it proves the negative right now. whew |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Chainsaw e2e regression for #243. Deploys a backend, a Gateway on the WAF
datum-downstream-gatewayclass with an HTTPRoute, and aTrafficProtectionPolicyinEnforcemode, then probes the downstream Envoy over the wire and asserts a benignGETreturns 200 — not the empty/5xx reply the unescaped error-page body produces.Gateway.status.Programmedalone is insufficient: Envoy Gateway reports it from its own translation, independent of Envoy's xDS ACK. So the test asserts on an actual HTTP response.Precondition
Requires the WAF data plane on the downstream cluster (extension-server + the extensionManager Envoy Gateway registered on the
datum-downstream-gatewayclass + the Coraza filter). Stockmake prepare-infra-clusterdoes not install this; environments without it skip via the unmetProgrammedassertion.Proof (this exact test, same fresh-fleet harness, only the operator image differs)
HTTP 000empty reply, test FAILS → https://gist.github.com/ecv/e47733b657475887c4c29cced339512aHTTP 200, test PASSES → https://gist.github.com/ecv/4c601d3d96fd5b317c5f3b814bbdd510The fix is in #244.
Refs #243.